After you replace the certificates of all Platform Services Controllers, vCenter Server instances and NSX Managers, replace the certificates on the Site Recovery Manager server instances.

About this task

You replace certificates twice, once for each Site Recovery Manager. You start by replacing certificates on mgmt01srm01.sfo01.rainpole.local, the Site Recovery Manager in Region A.

Table 1. Certificate-Related Files for Site Recovery Manager in Region A and Region B

File Name

Site Recovery Manager in Region A

Site Recovery Manager in Region B

CA Certificate Chain

chainRoot64.cer

chainRoot64.cer

PKCS#12 File Name from Manual Generation

mgmt01srm01.sfo01.p12

mgmt01srm51.lax01.p12

PKCS#12 File Name from the CertGenVVD tool

mgmt01srm01.sfo01.5.p12

mgmt01srm51.lax01.5.p12

Procedure

  1. Log in to the Site Recovery Manager virtual machine by using a Remote Desktop Protocol (RDP) client.
    1. Open an RDP connection to the following virtual machine.

      Region

      Site Recovery Manager

      Region A

      mgmt01srm01.sfo01.rainpole.local

      Region B

      mgmt01srm51.lax01.rainpole.local

    2. Log in using the following credentials.

      Setting

      Value

      User name

      Windows administrator user

      Password

      windows_administrator_password

  2. Install the CA certificates in the Windows trusted root certificate store of the Site Recovery Manager virtual machine.
    1. Locate the chainRoot64.cer file in C:\manual-certs folder.
    2. Double-click the chainRoot64.cer file to open Certificate import dialog box.
    3. In the Certificate dialog box, select the Install Certificate option.

      The Certificate Import Wizard appears.

    4. Select the Local Machine option for the Store Location and click Next.
    5. Select Place all certificates in the following store option, browse to select the Trusted Root Certificate Authorities store and click OK.
    6. On the Completing the Certificate Import Wizard page, click Finish.
  3. Replace the certificate on Site Recovery Manager with the one that you generated manually or by using the CertGenVVD tool.
    1. Open Programs and Features from the Windows Control Panel.
    2. From the list of programs, select VMware vCenter Site Recovery Manager and click Change.
    3. Select the Modify option on the Maintenance Options screen and follow the wizard until you reach the Certificate Type screen.
    4. Select the Use a PKCS#12 certificate file option and click Next.
    5. Browse to C:\manual-certs, select the mgmt01srm01.sfo01.p12 or mgmt01srm51.lax01.p12 file, and enter the certificate password VMware1! that you specified when generating the PKCS#12 file.
    6. Click Yes in the certificate warning dialog box and complete the modify installation wizard.
  4. To restore the connection between the two Site Recovery Manager sites after replacing the certificates with CA-signed certificates.
    1. Open a Web Browser and go to https://mgmt01vc01.sfo01.rainpole.local.
    2. Log in using the following credentials.

      Setting

      Value

      User name

      administrator@vsphere.local

      Password

      vsphere_admin_password

    3. In the vSphere Web Client, click Site Recovery > Sites.
    4. Right-click the site mgmt01vc01.sfo01.rainpole.local and select Reconfigure Pairing.
    5. Enter the address of the Platform Services Controller lax01psc51.lax01.rainpole.local on the remote site and click Next.
    6. Select the vCenter Server instance mgmt01vc51.lax01.rainpole.local with which Site Recovery Manager is registered on the remote site, enter the vCenter Single Sign-On administrator user name administrator@vsphere.local and vsphere_admin_password password, and click Finish.
  5. Repeat the procedure to replace the default VMware-signed certificate with this one on mgmt01srm51.lax01.rainpole.local.